As InfoSec professionals, it’s easy to get sucked into the "no risk allowed, ever" mentality that has become so common over the last few years. With the rise of open-source data sharing, strict risk controls and protocols have become the norm—and reaching a level of zero risk has become an obsession for many.
Understanding inherent and residual risk
Of course, it’s impossible to expect that there won’t be any risk associated with your organization, your vendors, or your customers. What is important is reaching the sweet spot for your organization between inherent risk, security controls and protocols, and residual risk.
Inherent risk is the level of risk an organization faces before any security measures, safety protocols, or controls are implemented. This is the baseline level of risk your organization starts with. Once your team puts its security measures in place, the risk that remains is called residual risk.
Knowing how much residual risk is acceptable for your business can help your team understand the protocols and controls you need to implement.
How much risk is acceptable?
As stated above, we’re living and working in an open-source world where data sharing is the norm. You can’t simply lock things down from the outside world and expect to do business. Your partners must be able to access your information, and every access point introduces some risk. Your team has controls in place, of course, but here are some questions to ask when determining how much residual risk is acceptable for your organization:
- What kind of data are you putting at risk? Different data types are covered by different regulations and protocols (for example, HIPAA or CCPA) that help protect the information in question.
- How robust are your contingency plans? Is your team ready to deal with the consequences if a security breach were to happen? Or do you need to avoid a breach at any cost?
- What do your vendors’ security protocols look like? If your vendors also have robust risk management protocols, that strengthens your internal controls without additional work on your part.
Protect your data from threats with Whistic
With Whistic, your team can take a modern, direct approach to protecting your private data. Whistic delivers transparency across your risk management solutions for an accessible look at vendor connections, security assessments and answers, and timelines for upgrades or audits. With this level of visibility into risk management protocols, your team can keep tabs on residual risk levels and ensure that your team doesn’t slip into ‘too risky’ territory.
You can learn more and schedule your inside look at Whistic here.